Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Site-to-site VPN using non RFC1918 addresses inside the tunnel

I'm curious.

We set up many site-to-site VPNs to customer sites so our analysts can work on customer systems.

I just got a request from a customer that they will not allow RFC1918 addresses (private space IP addresses) to traverse the tunnel. So I have to NAT the RFC1918 addresses that will traverse the tunnel to a public address before they enter the tunnel. This seems odd to me. Can anyone tell me why they would not allow RFC1918 addresses to traverse the tunnel between our side and their side ?

Thanks

4 REPLIES
Super Bronze

Site-to-site VPN using non RFC1918 addresses inside the tunnel

Hi,

I would say that usually Private IP addresses/subnets are used in L2L VPN connections. And if there is overlap then usually another Private IP address/subnet is used as NAT IP addresses to mask the overlapping networks.

Its been a very rare occurance that the remote end would have actually demanded that Public IP address space would be used.

What the reason is I am not sure. It might be that they want to be 100% sure that there is no chance of address overlap now and in the future as you would be using unique IP addresses on the L2L VPN.

I can't think of a reason other than the one I mentioned above.

- Jouni

New Member

Site-to-site VPN using non RFC1918 addresses inside the tunnel

Thanks for your reply Jouni.

     Yeah, I also thought it was because of the possibility of private address space overlap. But on our end of the tunnel I can adjust to whatever private address space is needed to avoid any overlap because this is a dedicated connection for just this one project. I'll pose the question to our customer on this project to see if he can explain the requirement.

Super Bronze

Site-to-site VPN using non RFC1918 addresses inside the tunnel

Hi,

It might be a policy on their side so there is no other choice for the person in question. Or it might even be that all the connections so far have been configured in that way so they dont want to deviate from that way of doing things.

Every now and then I run into strange requirements from the remote side that dont seem to make sense. Most of the time I might accept it unless it goes against something on our end.

The actual setup of using public IP address on your side would not be a problem though. You can easily even use your WAN interface IP address as the source for all your tunneled traffic.

- Jouni

New Member

Site-to-site VPN using non RFC1918 addresses inside the tunnel

That's a good point. I thought of using the WAN interface IP. But strange thing is he wants a one to one IP mapping of the  IPs that will traverse the tunnel. So if I have 10 analysts on my end needing to access systems on their end I have to take the local 10.x.x.x addresses and NAT them to 10 unique public addresses.

-Dave

244
Views
0
Helpful
4
Replies
CreatePlease to create content